Re: Mambo Open Source, Path disclosure

[Vasiliy <security () gugol ru>]

alireza hassani wrote:
> Demonstration URL :

> --------------------
> http://www.example.com/mambo/index.php?option=com_content&task=section&id=1&Itemid=PATH

  I've just tried this on one of my "vulnerable" Mambo installations 
and got nothing, but the blank screen. I wonder why this happened?.. 
Could it be because of displaying php errors turned off as it should be 
done in any production environment?


> Solution:
> --------------------
> There is no vendor-supplied patch for this issue at
> this time but we are not advising you to upgrade to
> Joomla because Mambo, version 4.5.3, will be released
> soon ( by the end of November this year).
> 4.5.3 represents the new Team’s first consolidation
> of bug fixes and includes a number of security
> enhancements. 

  Isn't this "solution" somewhat overcomplicated? If someone wants to 
workaround this bug, it's not necessary to upgrade. It would be enough 
just to follow basic security principles.

--
wbr,
Vasiliy